The code above clearly shows a classical CookieBomb Javascript infection. What is it? In poor words, first, there is control if a cookie is present and if it matches no action is taken, otherwise it will be built an iframe that goes to the landing page.

What interests us is the landing page, in this case:

hxxp://www.caravellesardegna.it/images/esd.php

Luckily for us, I managed to take when it was active and redirects the victim to an infected page:

What it does? First “innocent-absurd_obey.js” (http://pastebin.com/EQjhA1SE) is the JS devoted to the control and information gathering of the browser and related plugins installed, why? Because this “ExploitKit” drops among the other things the CVE-2013-2465.

After that injection and malware routine are completed, the system reboot and the fake page spawned.

In the Windows reference we read:
“In the wild, we have observed variants of Trojan:Win32/Reveton downloading these DLL files, images and other bundled malware from the following IP addresses, using port 80 or 443”